Ransomware : Your Crippling IT Disaster
Ransomware Remediation Professionals
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for businesses of all sizes poorly prepared for an attack. Versions of ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. Recent variants of crypto-ransomware such as Ryuk and Hermes, as well as additional unnamed malware, not only encrypt online data files but also infect most available system protection mechanisms. Files replicated to the cloud can also be corrupted. In a vulnerable system, this can render automated recovery useless and basically sets the datacenter back to square one.

Getting services and data back online following a crypto-ransomware attack becomes a sprint against the clock as the targeted business struggles to contain the damage, clear the ransomware and restore enterprise-critical activity. Because ransomware requires time to replicate, assaults are often launched during weekends and nights, when penetrations typically take more time to detect. This multiplies the difficulty of promptly assembling and orchestrating a capable mitigation team.

Progent has a range of help services for protecting enterprises from ransomware events. Among these are team member training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security gateways with AI capabilities to quickly detect and suppress day-zero cyber attacks. Progent in addition can provide the assistance of experienced ransomware recovery consultants with the track record and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Services
Subsequent to a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt all your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to set up the key components of your IT environment from scratch. Without the availability of full information backups, this calls for a wide range of skill sets, top-notch project management, and the ability to work 24x7 until the task is completed.

For two decades, Progent has provided professional Information Technology services for companies in Santa Monica and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience affords Progent the ability to rapidly ascertain necessary systems and consolidate the surviving components of your Information Technology system following a crypto-ransomware penetration and assemble them into a functioning system.

Progent's ransomware team has powerful project management systems to coordinate the complicated restoration process. Progent appreciates the urgency of working rapidly and in concert with a client's management and Information Technology staff to prioritize tasks and to get critical services back on-line as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business escalated to Progent after their network system was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, suspected of using technology exposed from America's National Security Agency. Ryuk targets specific businesses with little or no room for disruption and is one of the most profitable versions of ransomware viruses. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer located in the Chicago metro area and has around 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing processes. The majority of the client's information backups had been online at the time of the attack and were encrypted. The client was actively seeking loans for paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but ultimately called Progent.


"I cannot speak enough in regards to the support Progent provided us during the most fearful time of (our) business's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. That you were able to get our messaging and key applications back into operation in less than five days was amazing. Every single consultant I spoke to or messaged at Progent was amazingly focused on getting my company operational and was working day and night to bail us out."

Progent worked together with the customer to rapidly determine and assign priority to the mission critical applications that had to be restored in order to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To get going, Progent followed anti-virus incident response best practices by halting lateral movement and removing active viruses. Progent then initiated the work of recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's MRP software utilized Microsoft SQL Server, which needs Windows AD for access to the information.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then helped perform reinstallations and storage recovery of critical systems. All Exchange schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Off-Line Data Files) on staff desktop computers and laptops in order to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential services back online. Although major work needed to be completed to recover totally from the Ryuk attack, essential systems were restored quickly:


"For the most part, the assembly line operation showed little impact and we produced all customer deliverables."

During the next month key milestones in the restoration project were made through tight collaboration between Progent engineers and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Server containing more than 4 million historical emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were completely recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the desktops and laptops were back into operation.

"A lot of what went on those first few days is mostly a haze for me, but my team will not soon forget the urgency each and every one of you accomplished to help get our business back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potential business extinction disaster was evaded by hard-working professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although in post-mortem the ransomware penetration detailed here could have been disabled with advanced security solutions and best practices, user and IT administrator training, and well-designed incident response procedures for information backup and applying software patches, the fact is that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has substantial experience in crypto-ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thanks very much for making it so I could get rested after we made it past the first week. All of you did a fabulous effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Santa Monica a portfolio of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate modern machine learning capability to detect zero-day strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight ASM protects local and cloud resources and offers a single platform to automate the entire threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and enables rapid restoration of critical files, applications and VMs that have become unavailable or damaged due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to provide web-based control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map out, track, optimize and debug their networking hardware like routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, locating appliances that need important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so that all looming problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

For 24x7 Santa Monica Crypto-Ransomware Repair Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.